n the ongoing war against identity theft, individual battles are constantly being waged and won yet the overall threat evolves and remains still potent. The tactic in deterring identity thieves evolves also, as government legislation modifies previous government legislation to keep ahead of emerging trends.
One such evolving legislative act is the Fair and Accurate Credit Transactions Act (FACTA), which itself was an outgrowth of the Fair Credit Reporting Act. Created during the strong growth in credit lending, as banks became increasingly reliant on measures of creditworthiness in granting loans, the FCRA set out to standardize the customer creditworthiness checks and provided a method by which consumers could challenge some of the findings on those reports.
The FCRA still recognized the identity theft was a serious issue, and provided a way victims could erase any negative marks on their credit report that arose from identity theft. But it did nothing to stem the tide of identity theft cases -- until the addition of the FACTA rule.
It was on the last day of October of 2007 that Section 114 of FACTA was finalized; and a week later until was published. A testament to the newfound urgency in deterring identity theft, the section was developed in a joint effort between the Federal Trade Commission and five different Federal financial regulatory agencies, including the Office of the Comptroller of Currency and Federal Deposit Insurance Corporation.
Its Red Flag Rules explicitly mandated specific programs to identify weak points in creditor’s business models, as well as programs to quickly detect possible exploitations of these weaknesses. Finally, the rules called for developing a program which, by means of the first two would prevent and deter identity theft.
At the same time, realizing the identity theft expanded from just a few localized industries to penetrate just about every economic sector, the new statutes broadened the definition of covered creditors to include even non-financial ones: car and boat dealerships, telecommunications firms (think cellphone contracts), medical care providers and many others.
Several delays have pushed back the effective date of the Red Flags Rule, giving more times for businesses to prepare, but they are finally coming into force. That means if you haven’t paid attention to it before, and If your business provides covered accounts - “covering” the cost of a product or service until the buyer can pay back over time - these rules apply to you. You are now required to:
- Understand the risks specific to your industry or business sector.
Consider what kind of covered accounts does your business provides. How do the account holders open and access them? If, for instance, you run medical practice, your vulnerabilities lie in individuals seeking advice or treatment under false identities. They may present a social security card with a fake number (SSN ranges typically correlate to year of birth), or a document showing a different address than stated on their form. Employees handling such documents must be sufficiently trained in verifying them.
- Detecting possible “Red Flags” of Identity Theft
Once you have identified where the vulnerabilities to identity theft in your business lie, you can devote extra resources to plugging them. Returning to the case of the hypothetical medical practice, a patient presenting an obviously fake identity document would certainly raise some questions, as would the more subtle red flags such as medical histories inconsistent with treatment given, or a patient presenting bills for medical services they did not receive.
- Respond to Identity Theft
Long before uncovering possible incidents of identity theft, institutions must have in place a procedure to deal with them. This can include monitoring, and when appropriate closing or freezing questionable accounts, changing passwords of other security barriers associated with it, and notifying the customer of the potential breach.
While only you, as the most familar with your business, can figure out its potential vulnerabilities, you do have help with detection and response. Key to both, and highlighted by the FTC itself is reliable identity verification. This doesn’t just mean checking the document bearer’s name against the ID document, but mechanically checking the authenticity of that ID.